This Week In Law 246 (Transcript)
Denise Howell: Hi folks, coming up on This Week in Law we've got Anupam Chander, Nicholas Kristin, Kevin Thompson, and me and were going to fly our Flappy Bird rights across a whole bunch of stories about the NSA and surveillance and antitrust, Time Warner and Comcast. We've got a lot of hacking going on this week; join us if you want to be safe, next on This Week in Law.
Netcasts you love, from people you trust. This is TWIT! Bandwidth for this week in law is provided by CacheFly at cachefly.com.
Denise: This is TWIL. This week in law with Denise Howell and Evan Brown episode 246 recorded February 14th 2014.
Are There Mushrooms?
Hello, you’re joining us for This Week in Law. I'm Denise Howell, your host, and we have an incredible panel of folks today to help us understand, process, un-pack all the latest developments and some very important developments at the intersection of law and technology. Those developments affect us all. Were very blessed every week to have such smart people come on the show and give us their opinions and insights on these kinds of issues. This week is no exception; joining us from the Davis McGrath firm in Chicago and cyber law central his great site, is Kevin Thompson. Welcome back to the show, Kevin.
Kevin Thompson: Thanks Denise, it's nice to be back and Happy Valentine's Day.
Denise: Yes, Happy Valentine's Day to you. IRC is already suggesting that we call this episode of This Week in Law: This Week in Love. So if you guys are feeling romantic feel free… It's in the air today. Also joining us as we dispense with some of the silliness is Nicholas Kristin from Carnegie Melligan – Carnegie Mellon University where he is an assistant research professor on information systems and security. Hello Nicolas.
Nicolas Christin: Hi, thank you for having me.
Denise: That was Mulligan for the day - Carnegie Melligan! Let’s hope I don’t need another one. Also from UC Davis here in sunny and dry California is the author of the Electronic Silk Road, Anupam Chander. Hello, Anupam!
Anupam Chander: Thank you for having me on, Denise.
Denise: Thank you for joining us. Anupam is also a professor at UC Davis, the director for the California International Law Center, and his research focuses on the relation of globalization and digitization. That's quite a topic, quite a research nut to crack there!
Anupam: Everything in the world, really.
Denise: Yes exactly, hard to fit anything under that rubric. All right it seems to me that almost everything in the news these days has some sort of privacy overtone, so let's start there and try and begin to understand what's going on. Anupam, let's talk a bit about your book and how the Internet is a Silk Road between the various nations of the world that has never existed in this way before. So give us - for those of our audience who haven’t had the pleasure of reading your book yet - give us the overview and your basic premise.
Anupam: Well, the ancient Silk Roads connected civilizations so there were incredible passages across thousands of miles or kilometers. They really super powered technology transfer during their time and it enabled people to access the best of the world, essentially the world of their time. So of course that's the Internet today, that's what the Internet makes possible, but where the ancient Silk Roads focused on goods the new Silk Roads are focusing on information. So where it was goods before it's now the sale of services or the offering of services. So we have incredible riches that are available to the world through this kind of information transfer that the Internet makes possible.
Denise: So when we're transferring information around, of course, the question of the sensitivity of that information and the importance of it to individuals and businesses, the importance of its confidentiality perhaps comes into play each and every time something is transferred on this Electronic Silk Road and is stored at some particular node upon it. So course, for months now we've been watching the story and the fallout from the story on NSA surveillance unfold. Can you explain to us, Anupam, how the question of surveillance and security of information impacts the Silk Road?
Anupam: So one of the things I do in the book is compare various parts of this new Silk Road. So I compared the United States and Silicon Valley in particular with India and Bangalore and various hubs for electronic services, electronically mediated services. And I compare also China, the heart of the ancient Silk Roads. What I do is note that with respect to India and China they both have an incredible array of talented people who could have offered services to the world and in fact you may have better infrastructure in China in a variety of ways but it was India in the end that became a champion in services rather than China. My suggestion is that the great firewall of China is part of China's problem in this way. Not the firewall of China created these interruptions to data flow across borders. Interruptions that couldn't be tolerated in a very highly fast-paced data processed world, but furthermore that people would be reluctant and Denise you put it well that data flow has all these implications about privacy. People would be reluctant generally to transfer mass data to a country where the government has few limits on domestic surveillance. So the great firewall of China I suggest became a way to not only keep American companies out but to keep Chinese companies in.
Denise: Got it. Okay, so in our own country here of interest both to those not residing in the United States and those residing here who find their own information swept up in the surveillance of non-US citizens we definitely have people up in arms in a way that we have seldom seen as far as protests over government action. We now have a US Sen. Sen. Rand Paul, who this week filed a class action among the various other lawsuits that are pending over NSA surveillance. The lawsuit of the week on this has been filed by Kentucky Republican Sen. Rand Paul working together with conservative advocacy group Freedom Works, pending in District Court and the DC circuit in suing the President, the NSA, director of national intelligence James Clapper, Keith Alexander of the NSA, FBI director James Comey among others and alleging that literally hundreds of millions of class members may be impacted by this lawsuit because of the scope of NSA data collection. I bring this up, obviously there are many legal and constitutional challenges, this one appears to focus on the fourth amendment, others have taken the first amendment approach to challenging the surveillance programs in the United States. I'm wondering if anybody - and will start with you Nicholas, thinks that this lawsuit has a better chance than any of the others that are pending, in actually achieving some kind of reining-in of the surveillance in question.
Nicolas: It’s a good question, it's very hard to answer because - so I'm a technologist; so I’m not necessarily able to judge the merits of the legal aspects of the lawsuit. What's interesting here is that you have an actual Sen., so somebody with a certain clout who is actually actively engaged in this. What is very interesting from a technological standpoint is that it's all most impossible to differentiate between US and non-US traffic on the Internet. First you have to define what is US traffic? And I myself am a good example of that, am I a US person because I'm residing in the United States, have I not because my citizenship is different? There are a lot of questions that the framework is not very well defined. At the technological level it's not like bits that are circulating on the Internet are carrying a little flag that says I’m a US bit or I'm a French bit or I'm a German bit. So whenever you're looking at surveillance on a large scale it's going to be almost impossible to make sure that you're not collecting data from people that you shouldn't be collecting data from. So in that respect I think that some of the arguments that have been raised by the various people involved in the lawsuit from a technological standpoint they do have some merit. Whether or not it's going to be successful we'll have to see.
Denise: Anupam I think that is a really excellent point and raises some issues right in your sweet spot as our scholar today on issues of international law that of course it's not just US citizens who have an interest in this lawsuit but since the NSA programs are directed towards non-US citizens certainly those individuals have an interest in it as well although perhaps no opportunity or legal basis grounded in international law to have a say in how much they are surveilled by the US government. Can you kind of unpack for us where things might stand both for those in the US where we can look to our Constitution to challenge these things and outside the US who are governed by our Constitution.
Anupam: Nicholas is in a good position actually, he's sitting in Pennsylvania where he is, despite being a French citizen, he is protected by the fourth amendment quite fully. However if Nicholas were back home in France that defense under the fourth amendment would not readily be available to him. That is a real problem; we don't in our law constrain our intelligence services when they're acting with respect to non-US persons outside the United States. I think that is a shame.
Denise: Could you expand on that a bit. I sort of see as you're talking about the great firewall of China and the various policies that are in place there for both Chinese nationals and people who live outside their country, that we seem to be rolling towards this state of affairs internationally where every country spying on every other country. Wait a minute, have we been in that state of affairs for quite some time now and deal the checks and balances are everybody's doing it to one another. Is there anything internationally that can or should be reining this in?
Anupam: I think that governments are going to have to rein themselves in largely here. It's going to be hard to come up with international treaties or even silence agreements between Allied states not to surveil each other. I think really it's going to be the onus of governments to say that they won't do it, to tie their own hands. Now of course promises shared amongst each other are going to be important but I think one crucial reason to tie our hands in this process is because what I said about China where China becomes not an attractive place to place all your data because you don't trust what the government of China with that data; might be said of the United States. So essentially if we believe that the information economy is crucial to our future - that our success as a people relies on the ability of American companies to maintain their leadership as Internet service providers in the world that I think we have to make sure to curtail what we’re doing abroad. I think we have a strong economic interest in stopping this kind of behavior.
Denise: You’re talking about people internationally voting with their feet and deciding we’re not going to do business with US companies anymore. It's just too dangerous, too hazardous, if we care about our data and maybe there will be a search engine out of Norway that promises security, doesn't reveal information unless in extreme and very limited circumstances to government inquiries and we will flock in the millions and billions to do business with that search engine rather than Google or Yahoo. Is that what you're seeing or envisioning playing out?
Anupam: That is one approach that's being taken around the world. But if you reflect on it for a second you can see why that's not a tenable approach. Remember what I said about Nicholas, Nicholas is better protected being in the United States and so by choosing an offshore service entirely, a Norwegian service that only serves Norwegians for example; you are creating essentially a totally wonderful space for American intelligence service to operate without any constraint whatsoever. In fact you are increasing the likelihood of American no holds barred intelligence by choosing services offshore. Remember it's the foreign intelligence surveillance act - the only limitations are when it implicates US persons. So by moving to a Norwegian system, one that's likely to not be as well tested, as well capitalized as many other systems, you're actually likely increasing the vulnerability to American surveillance not decreasing it.
Denise: Excellent point. Kevin getting back to the Rand Paul lawsuit, I'm wondering if you have any thoughts about that or some of the infighting that seems to be going on and accusations that are flying around now about some of the lawyers involved. It seems that e-mails have leaked insinuating or perhaps demonstrating that one of the lawyers was sort of ousted from the lawsuit and wasn't included on the complaint and was not adequately a major player in the suit that he was told that he was going to be. Are these just lawyers, sniping at each other, distracting from the larger issues here?
Kevin: I think when lawyers are involved there's always going to be egos and certain egos have been stepped on a little publicly in some of this and they think that that's always the case with big-name lawsuits. That's almost inevitable that something like that's going to happen. I just think it's interesting I don't really know the merits of this particular case versus some of the other cases that are pending. I haven't had a chance to really sit down and compare the particular cases. Here we have a conservative Sen., coming in with a conservative group that is complaining about a government policy that started under the prior administration. It certainly has been kept in place by the Obama administration but it certainly wasn't initiated by them. The conservatives now are like surprised and shocked to discover that there is this NSA surveillance going on. At the same time it's also interesting, there's other senators that have had to have briefings on this. Other senators haven't been able to really find out what the NSA is actually doing and they're forced to turn to these third-party experts like Bruce Schneier some of these others that are technologists that are actively studying the Snowden documents and so forth, just to see exactly what the NSA is doing. Senators don't seem to really know. It's certainly a nice thing to see that people are starting to be concerned and there is public awareness of this particular issue I think one of our other articles dealt with the outcry from the general people. There was the day the Internet cried out –
Denise: EFF on February 11 put up “The day we fought back” an information and activism site. It's not just EFF it's a whole coalition of sites and organizations including ACLU and Readit. You can go check out thedaywefoughtback.org and there are nice little tools for calling your representatives in Congress e-mailing your legislators and a bunch of information trying to rally grassroots support around this in much the same way as we saw with Sopa and Pipa a while back. Kevin do you think - apparently they say, let's see how many folks did they get? I think I snippeted this. In one day over 71,000 concerned Americans picked up the phone and told their congress people to rein in the NSA; far more sent e-mails to their members of Congress. Around the world 200,000 put their name to a set of founding principles against suspicion-less surveillance by the NSA, by their own governments and anyone who dares violate our human rights. So obviously gentlemen, this doesn't have the force of law but this sort of thing as with Sopa and Pipa can have an impact. Kevin was this a worthwhile thing for these organizations to do?
Kevin: I think it certainly was. I think the more people that are involved, the more people that decide to call their congress critter and otherwise to cause awareness and Congress that this is an issue that they personally are concerned about. I think that is a great thing. I happen to know that there was even a small physical protest that came by our offices that day close to five o'clock during rush hour. It was just a small protest but still kind of nice to see that there were people that took to the streets to publicly raise awareness of the NSA and its activities.
Denise: The EFF said they had coverage on CNN and PBS and the Guardian, the Washington Post so definitely a great way to bring attention to the issue. Nicholas, do you have any thoughts on what happens next, as far as maintaining grassroots support?
Nicolas: I think the grassroots support from people who are supporting that EFF and the other organizations devoted to fighting for privacy - it's always been, I mean this isn't something that started two weeks ago or even last summer. What is important though is I think in this specific case this type of actions lead perhaps the mainstream, people who are not technologists, people who are not even necessarily cognizant of the issues of online privacy, to actually see that this is an important question. Now whether or not it's going to be effective again - this is not something that I can assess right now. But I think that one thing that may be useful and again in terms of developing awareness and when you have awareness then you start to look at perhaps the technological solutions that you can use to at least make surveillance a little more difficult. I'm talking about encryption, using an anonymous network and things of that nature. They're not going to solve all of your problems but they will make it harder for your traffic to be completely exposed.
Denise: Anupam, were there demonstrations on campus where you were?
Anupam: At the law school we're so busy just basically learning the law that we aren't typically out in the streets, but I think there's reason to be out in the streets don't get me wrong. I was one of the people who called in yesterday. I think many people in the audience not may be among the tech folks but generally are kind of indifferent to this issue. They're thinking; so what the NSA has my data. Who cares? I don't care, I'm not a terrorist. I think it's actually quite worrisome. I think it's worrisome of we start assuming that the NSA has our data. So I think that in itself is a problem, why - because if we then assume that the NSA has our data we may be afraid to call someone and say something bad about the government. Now you may think that sounds ridiculous but I want to bring a kind of real world example here. This is Gov. Chris Christie, these last few weeks and the response that he's had to the accusations against him. Now we have one of his former members of his staff essentially - I'm sorry the person that he appointed to the port authority, and very high-level person essentially accusing Gov. Christie of knowing everything about the bridge closure. What Gov. Christie did was turn around and accuse that person of being untrustworthy. Imagine if the governor had all the tools of the NSA and the NSA had all the data. I think the governor might well have had more arrows in his quiver to use against this person who's complained about the governor. That's the worry that we might have. We would move essentially towards a kind of self-censored world where no one will say anything that might bring them - where someone would never complain about the governor, knowing that would mean exposure of their secrets, or the secrets of their children or loved ones. That's a world in which we can't live. That is 1984 brought home.
Denise: That sounds a bit like one of the arguments that might be asserted in one of the first amendment challenges to NSA surveillance which is going after the fact that if you're monitoring phone metadata then you have access to people's associations and various other things that would be protected under the First Amendment, or is it broader than that Anupam?
Anupam: I think it is truly a First Amendment issue as you are describing. It's where people will no longer say something that they believe because they're worried about the consequences. They want to even say it, because of the electronic media they won't even say it on their social networks, they won't complain because they know that other people- they worry at least that the government is listening and the government will then if it's annoyed with them in any way come down hard on them, exposing their secrets. Every one of us has reasons to worry, we may not have done anything criminal there are always things that people will not want exposed to the world. We'll publish our Gmail to the world, we don't publish our e-mails to the world but imagine if that was the way you had to speak. Every e-mail, every communication, every Facebook post was essentially one to the world. I think that would be a scary world and I think that's one we have to avoid creating.
Denise: It would, it would be scary and noisy at the same time. Let's go ahead and make “fighting back” our first MCLE passphrase for this episode of This Week in Law. If you are a lawyer or someone otherwise in possession of a bar card in the jurisdiction of the United States you may very well have to meet minimum continuing legal education standards. We try to help you out with that, we've got a whole bunch of information over on the twit wiki at wiki.twit.tv if you're listening to the show and hoping to get some MCLE credit out of here in the wonderful insights of law professors such as professor Chander with us today, then definitely go for it. Let us know how you're doing with that. Fighting back is our first phrase to be able to demonstrate if you need to, to some oversight authority that you actually listen to or watched the show. We'll put another one in the show a little later on. Let's move on from considering the information that the government is gathering and using in various ways to information the individuals are accessing and gathering that governments are frequently up in arms about. This is been a big couple of weeks for hacking. Let's start out with the story that I don't think necessarily even falls under the rubric of hacking but it does tie and with what Kevin was saying a moment ago about law makers and perhaps a different case in France, judges and those determining legal disputes not being terribly up to speed on the technology that they're making decisions about. This was a really interesting incident involving a French blogger activist and businessmen named Olivie Loureille and what he did basically was liberate some information that was being stored online by the French national agency for food safety, environment and labor with acronym ANSES en français. He stumbled on 7 gigabytes internal documents from this agency, simply by doing a Google search! He's a journalist; he runs a site called Le dot info, a community project to connect journalists and computer networking specialists it is described as. Olivie found this information, decided well this is not locked down anyway, I'm getting to it from a Google search, I do not have to enter any passwords or credentials to access this information, and its public information from a public agency. So instead of pointing that out, that the information was available or letting the agency know that hey you might want to protect this information a little bit better, he actually made copies of it, it resided on his server, and then he in turn published the information himself. That got him in trouble in court, there was a trial proceeding where the trial court concluded that since he hadn't actually done anything to circumvent security to access this information that he could be charged with criminal penalties. However there was then and appeal and the court on appeal just seem to have a failing of understanding of what went on here. And he wound up getting charged the equivalence of US$4000, fined that for his activities. Nicholas do you look into that and can you give us your thoughts on it?
Nicolas: I saw the article and I read the news and it was quite interesting. Apparently what the appeal court said was yes the information was publicly accessible and publicly available which it shouldn't have been but it was by some misconfiguration of the server, but what the person should have realized was that this was a supposedly protected network and apparently because they kind of discovered that while they were they were looking for those documents and when they found them they also saw that there was some sort of authentication service before that which just wasn't working. It wasn't doing anything. Because they were aware that this was probably supposed to be protected documents then they were a fault for publishing them to the world even though they were already there. To me it's a little bit weird and interesting at the same time that this guy is being fined essentially for being perhaps indelicate but at the same time this stuff was already online. He is, in my mind paying for the incompetence of whoever is supposed to protect those documents for that agency.
Denise: It seems like he is being fined for his bad judgment here as opposed to any sort of criminal activity per se. Perhaps as you said it was indelicate of him to not let the agency know that this was a problem and instead just make it public himself. But the other thing that strikes me and it's something that we see happen over and over again; that simply guessing your URL or your stumbling on it in a Google search is equated with hacking. Part of the disconnect there is the fact that as Kevin was eluding to earlier there's this sensation on the part of decision-makers that's something amiss happened here but they don't really understand the technology. Do you agree with that Kevin?
Kevin: I think so. I think as you say this is the first case where someone has managed to figure out the URL and lo and behold there is information there at the end of it. You can get the directories; you can get the information that is there. As Nicolas was pointing out it's a misconfigured server but at the same time it is accessible. I think you're the decision is what to do with that information once you have it. I know that the people that had managed to guess that Apple user IDs for the developer service I think part of that was they'd figured out the structure. That's a similar attack. There are plenty of examples like this in the past where this type of thing has happened and for it to be classified as hacking, I think that's a bit of a stretch. It certainly is using the computer in a way that people don't want you to do but it isn't necessarily - it's pretty low on the list of hacking skills in my personal opinion.
Denise: I have trouble thinking of something like that as hacking at all. It's really more activism. Anupam are you concerned about this as president or do you think this is kind of a fluke?
Anupam: I think it's more than a fluke. I think the issue of accessing information - not through kind of breaking through some kind of protection schemes but stumbling upon it and that leading to potential criminal liability is really problematic. I want to turn our attention to a domestic case. In that case, the case involving Lori Drew that people know about there was the issue about bullying and there was a girl who committed suicide - very tragic case. But there was a prosecution for violating the computer fraud and abuse statute and the prosecution argument went like this; she accessed essentially MySpace, Drew accessed MySpace in violation of MySpace’s terms of use. And therefore they said she was a computer criminal. I think we have to be very cautious about that. The federal district judge actually threw out the state jury verdict so it all worked out okay under the computer fraud and abuse act. You can imagine these interpretations of the law that really stretch to make anything that we might do online that troubles the proprietor of the website and goes beyond what they would have liked, to be illegal and perhaps even criminal.
Denise: And of course the Aaron Swartz case had ever made it to trial would have involves similar kinds of issues. So it's not as though we don't struggle with that here in the US as well, particularly under the computer fraud and abuse act as you mentioned Anupam. Let's move on from someone who was not it seems engaged in criminality per se but then wanting information to be free and wanting to alert the public to the situation that we've been discussing to actual cyber-crime. Folks harvesting personal information, credit card information, for fun and profit as far as they're concerned. This is obviously getting worse as opposed to better, very much in the news the last few weeks with Target and Neiman Marcus and others being hacked and having data releases. If they were oil rigs would be out there trying to mop up but it's very difficult to mop up credit card data once it's out there. Nicolas can you give us your overview on what's been going on and sort of the state of affairs as far as credit card security goes these days.
Nicolas: what happened with Target was particularly bad, because what got broken into was not some sort of database sitting in a server but what the people that were behind this managed to do was install some malicious software, malware, in the point of sales, meaning the cash registers. So basically if you went to target during the time the attack was going on and you swiped your credit card, basically these people have all the information that is on the card. That actually suggests that the current payment system and infrastructure, signature-based magnetic stripe-based cards may be a little bit obsolete to protect ourselves against these types of threats. There's been a push to actually move to things like Chip and Pin– EMV type of card where instead of having just your typical plastic card with the magnetic strip in the back which you authenticate by signing a receipt. People have been saying that it could make sense to move to a chip and pin where on the card itself you've got a chip which is a little bit like the SIM card in your phone. It's basically the same technology, and of that chip is able to perform very small computations such as for instance verifying that you have the correct pin. So the pin doesn't have to go to the register itself. The only thing that goes to the register is: okay this card is actually valid and the person who holds the card knows the pin. If that had been deployed presumably the magnitude of the attack would have been a lot less. Now this is not what we have in the US and because of that now there is about 40 million credit cards and debit cards information that is floating around. I don't know how many of those are floating in black markets. If I were this person I wouldn't open all 14 million right away I would constrain the supplier a bit so that the price of those commodities in the black market don't collapse. But the points is that you've got a ton of credit cards out there. – Not going to be that impacted in the sense that we have laws in the US that prevent people from being liable for most of the purchases being made by those credit cards, but it's going to be a mess. It's going to take quite a long time to clean up.
Denise: Let’s talk about the changing technology - the chip and pin strategy that people seem to think would be the solution to this. There are some credit cards in use in the US that have chips onboard correct? I think I have one in my wallet right now.
Nicolas: Yes but it is chip and signature. So it's the proverbial it takes two to tango. If your card has a chip but the place where you swiped it is not able to read that chip or talk to that chip then it's as if you didn't have anything. Most of the payment infrastructure in the US is based on technology that was developed in the 70s and early 80s definitely did not support chips. That's where the real costs lie if we want to upgrade our cards to chip and pin, upgrading the cards is not that difficult but you also have to upgrade the payment and infrastructure so that they can talk to those chips and right now we just do not have that.
Denise: Is there a concern about RFID leaking if we have information stored in chips on credit cards?
Nicolas: There could be, it really depends on - right now there's no leak of information because there's no chip there's no nothing. Of course as it's being developed and solutions come to be implemented I'm sure that people like me will try to find ways of attacking those cards and seeing what kind of information we can actually access. At least it would get the process going. This is something that has been used in Europe for I would say at least a good 20 years we've had chip and pin cards. There's been a bit of academic research that shows that chip and pin cards is not a perfect solution, but in this kind of game we don't necessarily want to perfect solution. We want something that is a good enough defense so that the attacker doesn't really have any incentive, any economy incentive to try to breach your defenses. So the goal is not to have perfect security, the goal is to have security that is good enough that the bad guys prefer to do something else because it's not in their best interest to try to break into that system. We’re very far away from that the moment.
Denise: It’s being mandated in the United States by the end of next year isn't it?
Nicolas: I don't know if it's going to be mandated. There's discussion that yes it should be by 2015 with potentially some interesting liability regime as we are transitioning but whether or not this is going to even happen or whether were going to move from chip and signature is not very useful. All of this is up in the air.
Denise: I think the liability shift is an interesting thing for us to talk about. There's an article in the Wall Street Journal about the end of the swiped and sign credit card and this October 2015 date. I don't know if it's a deadline or a target or improving the security of credit card technology in the United States. One of the notions is known as the liability shift and as you know if your credit card user, if you've been victim of credit card fraud you basically get to call up your company and say hey it looks like there's unauthorized activity here, or maybe they're calling you and letting you know that, but you're off the hook. But who is on the hook and who will be on the hook under this liability shift doctrine is the person with the worst security. So the person and the Chamber of Commerce whether it's at the point of sale or the credit card company themselves that will be the institution on the hook and so the incentive would suggest that we would have better technology if everybody was trying to flee from that liability. Do you think that this is a good strategy Anupam?
Anupam: I'm worried about major shifts like that. I don't have a view on the subject one way or the other but it does strike me as worrisome that if we have major shifts in who has liability and then comparisons between who has more or less security - I think that's going to lead to a lot of litigation. It's going to get to my students and the lawyers in the audience. But I wonder if that's good for society at large. Now I do think that we have a problem. I definitely think there's a problem. When I traveled in Europe this last summer Europe has this chip and pin system everywhere. In fact I couldn't often use my credit card, it was actually useless. And I had to make sure that I had Pounds or Euros on hand because I would not have been able to pay with a credit card. So I definitely think that we've got serious problems. I do worry when we have radical changes in the law - especially law of liability.
Denise: Nicolas under chip and pin - you would always have to enter your pen on a keypad for every transaction?
Nicolas: If it's fully deployed yes but I think that we are so far away from that here in the states that you probably would have some sort of transition regime where there would be signature-based verification. What would be really interesting would be to see how liability is enforced then. What I've seen seems good but the devil is going to be in the details.
Denise: We’ll have to continue watching that unfold. Kevin, do you have any thoughts on credit card security?
Kevin: I just had one question for Nicolas. I didn't see anything in the article that really stressed online retailers and how they would handle the chip and pin type. How do the companies overseas, who currently is the chip and pin system do that?
Nicolas: Long story short they don't. Chip and pin is something that helps you for what's called “card is present” type of scams, where the card gets stolen by a waiter or point-of-sale like Target got compromised. But online you cannot - it just doesn't work the same way. Online you’re back to card isn’t present type of scheme. Now what I want to say is typically the breaches of card not present are much, much, smaller than card is present type problems - meaning that if your credit card is physically stolen that is something that happens a lot more than having your credit card being stolen online.
Denise: What do you think about the security of systems like Square Nicolas? Again that involves a swipe typically with a little card reader and the Square software. Do you have any opinions on alternative card transactions - Square not being the only one out there?
Nicolas: Right now what Square does is, is to have a very small magnetic stripe reader which is - essentially what it does is it reads off your magnetic stripe and converts that into signals that can then be processed by your phone or an iPad. So that's 100% magnetic stripe. I don't think this is what Square bases their business on, they base their business on being a novel payment system and the interface that you're using - it's that small square thing that you use to scan a magnetic stripe or if they move to something that can actually talk to a chip if we have chips in our cards soon. I don't think that's going to affect them much.
Denise: Ok so were all quite keen on our boots about the security of our credit card information, I guess that means were all going to convert our cash into bit coins and go that route right? Isn't that what we're going to do? What do you think Anupam?
Anupam: I think people are still going to use credit cards just because of their convenience so I'm not sure that the ordinary use of bit coins is right around the corner. Of course we have credit cards based on bit coins which might be the next step. I think there's a lot to be done in this area. We are far from being where we need to be. Now we have to remember that credit cards are not used around the world at the same pace as they are in the United States and a few other jurisdictions. Credit cards are really such an incredible importance to commerce and so we should make sure that we don't make it impossible to be a credit card provider - though I think that credit card providers have not been entirely responsible in all this.
Denise: Nicolas it's been a bad week for bit coins on a couple of fronts. Have you been following both the denial of service attack on the exchanges earlier this week and also Silk Road 2 came out and admitted that they had been hacked and had lost over 4000 bit coins?
Nicolas: In both cases is ecstatically the same problem. So first of all this is a problem that has been known since about 2011 and it's actually not something that should be such a major problem. Let me try to explain a little bit what's going on. What's going on is called Transaction Malleability. Rather than going into graphic details let me give you an analogy with the real world. If I give you a check on the check there's going to be my account number, there's going to be the name and there's going to be a check number and an amount. So when you get this check you cash it and I can see that check number 112 has been cashed. Bit coin basically works more or less in the same in the same fashion. There's no centralized bank and all of that, but that's not actually really relevant to what we're talking about right now. What this attack is, is, that you cannot change the amount, you cannot change the sender, you cannot change the recipients but you can actually change the equivalent of the check number. That's called a transaction ID. This means that if I give you a check, check number 112, you can scratch that off and change it to 200 for instance. Then you go to the bank and you deposited and then what you do is you tell me hey, I've never received the check that you sent me. Look at your records, there is nothing about check 112. I look at my record and I say yes indeed and then you convince me to actually re-issue the transaction for the same amount of money. So in itself it's not a problem unless the party who is paying uses only this check number, this transaction ID as a way of tracking once the transaction has been completed. That shouldn't happen. People shouldn't be doing that they should be checking who is the sender, who is the recipient's and what is the amount. That is unforgeable so there shouldn't be any problem except a law of implementations of wallets and online bit coin systems actually still use the transaction ID. So that's why we're having a problem right now. There are a lot of bogus transactions that are created like that and as well as what apparently happened on Silk Road 2. So that’s exactly the scam I discussed to essentially empty the main escrow which is the more or less the vault of Silk Road, to empty this escrow account and run away with the money. So that's where we are.
Denise: Anupam do you think the international Silk Road of the Internet and online transactions is getting a bad name from things like Silk Road and Silk Road 2?
Anupam: you know I think was banditry on the ancient silk Roads, there's going to be banditry today. There will be people who use these passages to transfer illegal substances. That's the history of humankind. I don't think we should say that the Internet is particularly more of a cesspool than our ordinary lives are.
Denise: Are you surprised that bit coin which seems to appeal to those on the fringes and those on the cutting edge of engaging technology - that people in that situation seem prone to not only using it but to hacking it.
Anupam: Hackers are always the - computer enthusiasts always think they are the best computer enthusiasts so I'm not surprised that people might be surprised that there would be someone better than them in computer security. This again goes back to my concern about Norway setting up its own allegedly secure system. There will always be someone else who comes up with the way to defeat that system. We just need to know that security is going to be a persistent problem in cyberspace as well as elsewhere.
Denise: Kevin, are you putting everything into copper silver and gold?
Kevin: I think there's plenty of reason to not be involved in any of those as well. Bit of a scam there in certain exchanges. Bit coins, I think they're going to be great for those people who want to use them and I think once they work out some of these issues, the transaction IDs - the current one - but I'm sure that there will be other issues going forward. It's a new system and the new currency and I think going forward it's going to be great for people who really want to use it. Whether it’ll ever get mainstreamed or not that's another matter. I sort of doubt I'll ever be able to pay my mortgage in a bit coin. But for those people who want to use it I think it's a fine thing.
Denise: Let’s
move on to some questions of law and policy and regulation. Where it's in order
and where it's not. Anupam, you had a very
interesting article last fall called “How Law Made Silicon Valley,” pointing
out the differences between how United States law, starting at about the turn
of the twenty-first century, began encouraging commerce and innovation,
particularly around the Internet, by doing away with things like intermediary
liability (Under the Communications Decency Act, Section 230), [and] various
other provisions that help businesses move ahead in the United States in ways
where they might be hampered abroad. Do you see any shift taking place there?
Do you see other countries starting to emulate us, or is the US still the place
you want to be doing business if you’re an innovator?
Anupam: I think the US is still the place you
want to be doing business if you’re an innovator. I do think that we have to
worry about the United States, generally. I think there are always reasons for
concern and watchfulness. But the central premise of my article is that, where
the United States approached the Internet with hope, the rest of the world
approached it with fear. There’s reason for both hope and fear on the Internet,
don’t get me wrong. There are a lot of good things on the Internet, and there
are a lot of bad things on the Internet, that we’ve just discussed. But the
rest of the world worried more about the costs – the harms – that would arise
from the Internet, and we worried more about the opportunities, and the
possibilities that it created. So, particularly, we’re concerned and moved by
the possibility of improving access to speech, and that under-girded much of
our early interventions in favor of these information intermediaries, which of
course are the new speech platforms of the day. They are the new CBS, and the
town hall, that exist today.
Denise: Right.
So, you give the example that something that might be celebrated in the United
States could lead to jail in Japan. Could you give us an example of that?
Anupam: Sure, sure. I talk about a programmer
in Japan who essentially came up with a protocol – a P2P file-sharing service –
called “Winny,” and instead of being celebrated for
being an Internet entrepreneur, he was actually
charged with criminal offenses. What was his crime? That he continued to allow
the downloading of his software, the P2P file-sharing service, even after it
became known to him that some people were using it for copyright infringement. So,
if someone is using your system for copyright infringement, and then you
continue selling that system, or providing that system (he was giving it away
for free, of course), then you are a criminal. Now, that is a remarkable story.
Imagine if we placed the same standard for Steve Jobs, with respect to iPod. We
wouldn’t have the innovation that we have today, if we followed these kinds of
rules. And that, in fact, is exactly what hampered— Japan has had far better
Internet backbones than the United States for a long time. I took a train Japan
has had far better Internet backbones than the United States for a long time. I
took a train, in the 1990s, to Narita Airport from Tokyo, and the young woman
sitting next to me – looked like a college student or something – she took her
laptop, she took her phone, and she tethered her laptop to her phone, and surfed
the Internet. This was at the end of the 1990s.
Denise: Mmm-hmm.
Anupam: You still don’t see that in the
United States today. So, Japan had all the technology one would want, but its
law turned out to be highly risk-averse: “We don’t want to have something like
P2P, because it allows for lots of copyright infringement.” But of course, P2P
is exactly what I’m using right now to talk to you! (Because
I’m using Skype…) So all the innovations that have become possible would
not be possible in a world where the law is too worried about the risks and the
harms.
Denise: So, we
want to, as much as possible, try and keep the barriers to people innovating
down, but at the same time, we need protections against the other things we’ve
been speaking about on the show today. Maybe not so much protection for
copyright holders, but protection certainly for those possessed of that
confidential data that they want to keep confidential and secure. Is there a
tension there?
Anupam: Certainly there’s a tension between a
desire to keep everything secure, and the desire to use these incredible
systems which create such power. You know, I was reluctant to venture into
Facebook myself, for example, because of the risks of private information being
publicly disclosed. So I think these are important issues, generally, for
society, but I think if we act in a way that makes the burdens, the liabilities
fall on the intermediaries of speech, then essentially what the speech
intermediaries will do, [they] will either shut down, or they will shut speech
down. So those are the two options left to the speech intermediaries for
widespread liability, and I think that is exactly what the United States did not do in the 1990s, and into the last
decade.
Denise: Ok,
thanks for that. Nicolas, I wanted to backtrack before we get to our next story
on Comcast and Time Warner here in a second… I wanted to follow up on something
on the credit card security front that I read you quoted as saying in one of
the articles in our show notes today. (Those of you viewing and listening can
access all that information at delicious.com/thisweekinlaw/246.
All our links are there.) That is this question, and I think it does go to,
since we’re on the topic of Legislation and Policy right now, it does go to
whether government is going to step in and make some decisions about how secure
credit card data has to be. The comment that you made had to do with the market
getting flooded with credit card data, because so much hacking has gone on,
that we might actually see a diminution of the hacking because it’s just not
attractive any more. There’s all this information out there, and the price goes
down.
Nicolas: Yeah,
it’s a theory, but it’s something that we’ve seen in the past. A couple of
years ago I think it was, around 2010, if you wanted to buy a Visa or MasterCard
online – a fraudulent one – you would have to pay maybe $2 for it. I checked
recently on how much those were going for, and at least on one forum that I was
checking a few days ago, it was $10-20. So those are commodities that are being
traded much like any other commodity, and the fact that they are illegal, the
fact that they are fraudulent, doesn’t change anything to the basic law of
economics: supply and demand. And the more those cards are getting compromised,
the more of them [that] are being stolen, if you will, the more you’re
increasing the supply (unless you are very, very careful about not divulging
too many of those credit card numbers too quickly). So as soon as we increase
supply, unless the demand also increases at the same time, what you’re going to
see is a reduction in the price that you can ask for things. It’s worth
wondering if it’s going to remain a profitable endeavor for people to actually
steal that many credit cards. If we are very quick – and by “we” I mean banks, regulators and so forth – if we are very
quick, if you flag a stolen card as bad, so that no one can use it, if you go
online and purchase that credit card and spend maybe $10 on something that
actually doesn’t work, you’re unlikely to return as a customer. Or, if you do
return, you’re going to ask for the exact same goods, but maybe for ten cents.
So what I’m wondering (and again, it’s a hypothesis, I don’t know if that’s
going to be true or not, we need to measure that over months and years, to
figure out whether these economic dynamics also apply there), but what I do
wonder is whether or not we’re going to see actually an oversupply of
fraudulent credit cards that are not very useful to people because they’re
immediately flagged, and if you use them — well, basically, you end up in jail.
So, that’s the main question, right? And if that is the case – and if people cannot sell those
credit cards at a high premium – then they’re not making money out of it, and
maybe it’s more profitable for them to try to break into some computers, to
sell computing cycles, or anything else that their skills can allow them to do.
Denise: Yeah. I
think it’s a fascinating idea, and it’s something that regulators should bear
in mind, I think, when they’re considering how to deal with this problem. Do
you know if anyone… You said that there’s a good deal
of study that would have to take place before we would know if that were, in
fact, happening. Do you know of any scholarship that’s going on, on that issue?
Nicolas: Yeah,
there are definitely a number of people that are monitoring the economics of
online fraud, and it’s a pretty vibrant research area. Mostly, I would say,
coming from computer scientists, like myself. That’s the community I am most
familiar with. But now we start seeing economists and even sociologists getting
interested in that.
Denise: Yeah, I
thought it was a fascinating idea. Alright, another idea that has been floating
around this week is notion that Comcast would buy Time Warner, for $45 billion
—$45.2 billion. That seems to be what the companies want to do. There are a
couple of legal angles to it, the most obvious one being whether regulators
will let this go forward from an anti-trust standpoint, and the notion too of
Net Neutrality that comes up time and time again (whether that would be
impacted by the consolidation of these two very large cable companies in the
United States). Anupam, I know this is not
necessarily your primary area of study, but when two large telecommunications
companies decide to merge and take charge of the information flow to a country
like the United States, it’s certainly a big deal. Do you think that regulators
could or should put a stop to this?
Anupam: It does worry me when we reduce,
again and again, the number of major information intermediaries that we have —
people who are providing the plumbing to the communications that you and I are
engaged in. I use Comcast at home. I switch back and forth between AT&T and
Comcast, basically… find essentially just where my boiling point with my ISP
comes to the point where I have to switch, and then I switch over the AT&T,
hoping I might find something else better but never actually being satisfied.
Our Internet, our phones, our communications are far more expensive in the
United States than they are in many other parts of the world, which have better
communications. So, I am really uncomfortable with where we are right now.
Unless they promise that they will reduce rates by x %, rather than raise them
by 2x (which is the worry), I am quite skeptical. I was skeptical when XM and
Sirius merged – I use satellite radio – and I remain quite concerned here.
Denise: Well, the
rate piece seems to be something that Comcast is floating out there to try and
dodge under the FCC stepping in and doing any kind of anti-trust regulating
here, because apparently, Comcast has an access program that provides
need-based, reduced rates that would then be extended out to the Time Warner
customers as well. They’re holding that up as a good thing. “This is in keeping
with your goals, FCC, of increasing access.” They’ve also promised, on the Net
Neutrality front, that the representation they made – that Comcast will abide
by the now-defunct Open Internet Order for an undetermined period of time –
would apply to Time Warner as well, if they were to take it over. Does any of
that give you more assurance about this idea?
Anupam: I am skeptical, entirely. Providing a
lower-cost service may well just be a profit-maximizing move; it may be a way
to segment your market so that you can extract the most rents from both sides.
Essentially, if you are providing — typically, if you are providing a service,
you would like to price-discriminate among your richer, more desirous
customers, and your poorer customers when the marginal cost of production is
below what even the poor person might be willing to pay. That may well be the
case here. So, I’m not sure that having Time Warner adopt this strategy as well
is such a benevolent act. It may just be something that Time Warner does
eventually, on its own, regardless, just as a profit-maximizing move.
Denise: Kevin,
what do you think about all this?
Kevin: [laughs] I
am sort of very “of one mind” with Anupam on all
this. I am glad I’m not a Comcast customer currently. I’m not a Time Warner
customer either. So I’m very happy, in that regard. Net Neutrality has been an
issue that’s been forefront for me, and for some of our clients, and it
certainly is something that I’m concerned about. Just the fact that they give
lip-service to it in these announcements shows what an important issue it is.
We’ll have to see what the Net Neutrality guidelines come out to be down the
road. But for right now, it’s just a trust and a handshake between some of
these companies, and having less players involved is a problem. I know that
when Netflix posted this list of the ISPs that have the worst rates for data on
its own streaming, Netflix says that Comcast is always the lowest of the people
on their list. I don’t see that type of service improving. Now, Comcast claims
that they don’t throttle Netflix, but something is causing them to be a lot slower than all the other ISPs, and—
Denise: Right…
Something’s going to give, somewhere.
Kevin: Right.
Denise: If
Comcast and Time Warner do merge this way, and control so much of the US
market, and they don’t reduce rates
(it doesn’t seem like they’re coming out and saying “That’s what we’ll do, in
order to accommodate this,” much as Anupam might
think that might be a good idea), then they’re going to find a large number of
people trying to rout around — cord-cut, get their entertainment without having
to go through a cable company. But in order to do that, they’re still going to have to go through an
Internet company.
Kevin: Right.
Denise: And
there’s the rub.
Anupam: Can I just talk about the price
issue?
Denise: Yes!
Anupam: It’s not unheard of for a company to
say, when it wants something positive from a regulator, “We will reduce our
prices in the future.” I worked on a privatization in the Philippines, where it
was the water company that was being privatized and of course, any time you’re
going to privatize some big utility like that, the biggest worry is going to be
that the private entity is going to come in and raise your rates, because
there’s only one option to get water. What they did – the way we ran this
privatization – was we said “What is the discount on the current rate that you
will offer?” We also had benchmarks on how much they had to expand the coverage
of water services. So, I suspect that there are huge economies of scale here,
but I think they should be saying, essentially, “We will make consumer lives
better, and we promise to do that for the next twenty years. Our rates will be kept
lower than they are now, because you will share in the benefits of the
economies of scale that we’re receiving.”
Denise: God, I
hope so, because the rates are just so through-the-roof. I don’t know how the average American wage-earner even affords cable TV. Basic cable TV is over $100 a month, at least where we live. It
just cracks me up – and makes me cringe – every time you hear one of the ads
that the cable company (whichever one it is) puts on, talking about how
something is “free, for you, the viewer.” Nothing is free! [laughs]
You’re paying through the nose for your service. Whatever it is they’re
providing you, you’re certainly compensating them for. Nicolas, do you have any
thoughts or opinions about this merger?
Nicolas: On this
merger itself, I think that the points that were raised before were
interesting. I think that I started to have some doubts after – a little bit of
unease when – cable service providers like Comcast start to merge with Internet
Service Providers like AT&T, and with content providers getting their feeds
from NBC, and things like that. I think that, so far (again, price is a
different thing, but in terms of control), we’ve been ok, even though there was
a great deal of anxiety when those previous deals occurred. But you’ve got to
wonder if we are at the tipping point, or not. It’s now so concentrated we are
definitely, perhaps not yet in a monopoly situation, but we are getting closer
and closer to a very small oligopoly. That’s always worrisome.
Denise: Alright. Well,
let’s move on from information being provided to use at varying speeds by cable
companies, to information that is residing in and being used by Facebook, and
that has to do with the Social Web.
[Segment music plays]
Anupam: [as music plays] So, Denise, I need
to go in a couple minutes…
Denise: Sure!
That’s Anupam, You need to leave us, depart and leave
us, shortly?
Anupam: Yes, it’s Valentine’s Day, and I have
lunch with my wife.
Denise: Oh, good
for you! Yes, this is truly This Week in Love, then. We can let you go whenever
you’d like. We can let you go now, if you need to.
Anupam: I will, I will.
Denise: Ok.
Anupam: I’m going to leave this in the very
capable hands of Kevin and Nicolas and, of course, your hands. With respect to
Facebook, I should just put in a plug: There’s a whole chapter, called “Facebookistan ,”
in my book, The Electronic Silk Road.
The book is $19 on Amazon, so it’s pretty cheap for a law text that’s actually
quite serious. So I hope that people will buy it.
Denise: Yes! Your
book — we’re doing it early, since you need to leave us. Your book is one of
our Resources of the Week this week, so we will encourage people to go out and
check it out. Thanks so much for joining us today, and for all your thoughts
and insights. We hope you have a lovely lunch with your wife!
Anupam: Thank you. Thanks Denise, it was
great. Thank you. Bye.
Denise: Ok, bye.
Alright, so on the Facebook front: Anupam was saying that he doesn’t even put his data in there. I know others of us have
been far too eager to put our data in, and others are waiting in the wings, as
young people are growing up. Whether or not you buy into the arguments that
Facebook is no longer relevant to young people, I think there is still some
sort of appeal there. Certainly, the fact that they’re not able to access it
until they’re thirteen years old make it into this sort of mysterious thing
that they at least want to try out. There has been a settlement, that we have
discussed on the show before, in the Frayley v. Facebook class action, that had to do with sponsored stories
and using people’s name and likeness in promotional bits on Facebook without
their express consent. That was what the lawsuit alleged. It settled. Facebook
never admitted liability there, and I think would have put forward arguments
that its Terms of Service covered it for what it was engaged in. Rather than
have a large and public trial, Facebook did settle the case, and the Ninth
Circuit Court of Appeals has approved the settlement. So all appeared to be
moving along as planned, and shortly, your $10-15 may be coming your way, if
you were a Facebook user who was impacted by sponsored stories at all. A
last-ditch flag has been thrown on the play by some public interest groups,
including Public Citizen and others. They would very much like the settlement
overturned, because of the minor piece — the fact that, going forward, Facebook
intends to cover this issue in its Terms of Service by having minors represent
to Facebook that their parents have authorized the use of their name and
likeness for advertising by Facebook without any express consent from the
parents. This is something that Facebook has to worry about – getting consent
from minors – because, even though Facebook is entitled to gather information
from those under the age of eighteen and over the age of thirteen, under the
Child Online Privacy Protection Act (COPA), it is not entitled to make use of
that information without express parental consent. So, this whole notion that
you could have a child saying “Oh, my mom says that this is ok. My mom and dad
say that this is ok” is giving a huge amount of pause to these public citizen
groups. They have filed a brief with the
Ninth Circuit asking that the settlement be set aside, and other amicus briefs
are being filed in support. I’m not sure how optimistic I am that anything will
happen with this, but it’s an interesting point, this notion that the Terms of
Service, going forward, have this clause that kids are representing that
parents approve. Several states expressly have laws against gathering consent
in that way. Kevin, what do you think about this late-in-the-game “Hail Mary”
that’s going on here? Do you think it has any chance of success?
Kevin: I’m
curious to see what the other amicus briefs that are filed on this — you know,
the position they take, whether or not they truly support this argument. I
think it’s certainly a concern, especially since there are some states that
explicitly prohibit this type of consent. Personally, within our family, we’re
struggling with this issue. My oldest son is now thirteen and he has asked,
more than once, when can he start a Facebook account. So we’re struggling with
that issue ourselves: Do we consent, or do we not, to him even having a page in
the first place (much less whether or not we’re going to consent to the use of
his image in advertising)? We’ll have to see how that all plays out. That
aside, I think they do make a very good point, that it does violate the law in
those states, and I’m curious as to what the Ninth Circuit does with that.
Denise: Yeah, it
sure will be interesting to watch. We’re talking about two different legal
problems that your family is facing, Kevin: Your thirteen-year-old, if they want to — you have your own laws within your
family, but as far as laws that impact Facebook go, Facebook is ok if they let
your thirteen-year-old sign up. It’s just a question as to what sort of consent
to use of their data they have to obtain if they’re going to make use of them
in ways such as sponsored stories does. Nicolas, do you have any thoughts, or
want to weigh in on Facebook and kids at all?
Nicolas: Well,
it’s really more of a legal problem than a technological problem.
Denise: Right.
Nicolas: The
issues of consent, of license agreement — that actually, I have to say, that
completely falls outside my area of expertise. I’ve got opinions, but they are
not professional opinions.
Denise: Gotcha;
we’ll let you off the hook on that one. Let’s move on to our Tips — actually,
let’s do one copyright story before we move on to our Tips and Resources of the
Week.
[segment music plays]
Denise: Kevin
mentioned [that] we have everything from the NSA to “Flappy Bird” in the show
today, so I don’t know how we can’t talk about” Flappy Bird,” at least briefly,
because there is a little legal gloss on this. There’s no sort of proof of this
at all, and Nintendo is just calling it “rumor,” but… Just to bring people up
to speed, if you’re not aware of what “Flappy Bird” is: it is a game developed
by a gentleman in Viet Nam that was quite popular, was bring him some $50,000 a
day in ad revenue. I’m sad to say that I did not get onto this quickly enough
to download it before it was no longer available, but it is no longer available
now. Its founder says that this has nothing to do with legal issues, but some
of his colleagues (or acquaintances or friends) told Reuters that, in fact, he
had been contacted by Nintendo, because of a resemblance between the game and
“Mario Bros.” Nintendo says “No, no, that’s just rumor, we’re not confirming
anything,” but it could well be that the sad passing of “Flappy Bird,” which
has had several people wringing their hands during this week, did have some
sort of legal aspect to it. Kevin, were you able to get in on it before it was
gone?
Kevin: Yeah. My
oldest son, actually, about two days before the announcement was made, asked me
if we could download “Flappy Bird,” so we hopped on the bandwagon then. Then I
had to tell him, “By the way, your timing was great,” because about two days
later was when he made his announcement. Personally, I can’t say I’ve had a
chance to play it yet, but I think his comment was it is indeed a frustrating
but addicting game to play. So, I can see why… You know, if you read the author’s
statements on it, the fact that it was simply too addictive of a game, and not
something he wanted to be associated with going forward. From a legal
standpoint, I’ve thought about this a little bit… The bird flaps along, the
background is these pipes which look, oddly enough, like pipes from the “Mario
Bros.” games, and whether it’s—
Denise: Do they
go into the pipes, and are there mushrooms?
Kevin: Not as far
as I am aware of. I don’t think they go into them at all, and I don’t think
there are mushrooms. I think they’re just an obstacle to avoid. I think if you
hit the pipe, you fail.
Denise: Mmm-hmm…
Kevin: So that’s
the issue there. I’m not sure… I think some of them, maybe, gusts of wind and
things like that come out, but I’m not really sure on that particular point.
That being said, it’s more of an homage to “Mario
Bros.” Whether Nintendo would really have a cognizable copyright claim on just
merely the pipes… It’s more of a functional aspect of the “Mario Bros.” game,
as opposed to a truly original expression… Perhaps the color
of the pipes? They’re that odd green color that you find only in the
“Mario Bros.” game, so you don’t really find too many real pipes that are that
shade. I think perhaps that might nudge it a little bit more towards creative
expression, but Nintendo has said publicly that they didn’t send any such thing
— or at least that they can’t confirm or deny that anything was ever sent. It’s
an interesting question but, ultimately, would this be the reason to take it
down? I’m sort of skeptical on that.
Denise: Over in
IRC, we’ve got a great comment here… Oh, I just lost track of it, where is it…?
I forget who said it, but – oh here we go, it’s “synak” - “Bought
‘Flappy Bird’ with Bitcoin, only to find out it was
an NSA back-door!”
Kevin: [laughs]
Denise: That
pretty much sums up the whole show today. [laughs]
Yeah. It does seem like an interesting legal issue that we’ll never actually
see resolved, because the game is not available (and I doubt Nintendo would
take any action based on what had happened to date). But yes, the question of
the copyright-ability of the green pipe, I guess, will have to be shelved for
another day. Or, I suppose there could be trademark ramifications as well.
There are certain aspects of “Mario Bros.” that I’m certain Nintendo has
trademarked, too. I don’t know if green pipes would be among them, as some sort
of logo or symbol of the game.
Kevin: Hmmm. Do
you think this might rise to the same level of colormarks?
Denise: Yeah.
Kevin: The
pixilation, or something like that?
Denise: Something
like that.
Kevin: I don’t
know if it would reach that level of consumer awareness, but certainly, among
the geek community, you see green pipes, you think “Mario Bros.” So it’s
certainly got niche fame.
Denise: Yep. Nicolas, thoughts?
Nicolas: Well, I
wonder if the guy took it down because of the threat of legal action, or simply
took it down because he was uncomfortable with being the center of attention
that he has been. I mean, this is a guy who went from being completely unknown
to making $50,000 a day, in a country where $50,000 is actually more like $5
million for us.
Denise: Right.
Nicolas: So, you
may end up yourself being the target of some attention that you don’t
necessarily want.
Denise: Yep,
excellent points. Let’s make “Flappy Bird” our second – as an
homage to the parting of “Flappy Bird” – our second MCLE passphrase for
this episode of “This Week in Law.” We have some Tips and Resources for you…
Actually, just one tip, and it has to do with
trademark law, and another story that was much in the news all week, quite a
nice trademark stunt that’s been playing out in my neck of the woods, in
Southern California, the “Dumb Starbucks” story. Lisa Borodkin was just on the show with us, and she has a great article – my favorite coverage of this by far - in the Guardian, where she basically
sums up what happened. “Dumb Starbucks” opened in a mysterious kind of way,
using all of the Starbucks logos, but putting “Dumb” in front of everything,
right down to the music CDs that were available for sale. It turns out to have
been a publicity stunt by Nathan Fielder, who has a funny show on Comedy
Central where he’s giving out bad business advice. Certainly, using Starbucks
trademarks without authorization would fall into that category. [He] had this
whole kind of performance-art thing going on, where he made it, if this is
indeed a legally ok parody, he has some strong claims
to that. Fortunately, this doesn’t seem like it’s ever going to be litigated.
As Lisa points out in her article, Starbucks did not pull the trigger and sue.
They did issue some statements that were pretty smart all around, but of
course, no one — they sort of took the whole “likelihood of confusion” part of
trademark off the table by saying that they didn’t think that people were
actually confused about the fact that this could have been a real Starbucks or
not. They did say “We’re not making any decisions at this time. We’re not going
to take legal action right now, but we’re not ruling that out,” and they did
not fall prey to jumping on this and giving it even more publicity than it already got during the week. So, our Tip of
the Week on this is it’s smart to take a “wait and see” kind of approach, as
Starbucks did, when you see a very high-profile and flagrant use of your
trademark in the marketplace. It turns out strategically, I think, it would be
hard to argue that Starbucks did anything but the right thing here. Our friend
Marty Schwimmer, who is our resident trademark
specialist who comes on TWiL from time to time,
tweeted this morning an adjunct to our tip, a fairly useful maxim: “Lawful
parodies remind you, they don’t deceive you.” It seems like that’s what was
going on here. Just to add a couple more tips to our tip: I really enjoyed
Lisa’s article too, not just because of the substance of it, but the fact that
she reminds folks in the article that she was, at one time, a Starbucks lawyer,
so she gets that disclaimer out in the actual text, and then at the end has
further disclaimers that she’s the shareholder of four shares of Starbucks
Corporation, and a gold-level Starbucks cardholder. So you know all of her biases are on the table
there. Let’s move on to our Resource of the Week. We mentioned one, and that is The Electronic Silk Road, the
wonderful book by Anupam Chander.
Go check that out if you have not. It talks about binding the world together in
commerce via the Worldwide Web, and is a fascinating look at the way the Internet
functions internationally, and the way that policy and regulation can impact
that function. Also: just for fun, in honor of This Week in Love this week, we
threw this in (again, you can pull this up at delicious.com/thisweekinlaw/246)
“The Hidden Legal Traps of Valentine’s Day.” It’s an article – with a great
graphic, that I believe you are seeing now, if you’re watching the show, of
poor Cupid biting the dust (on his own arrow no less) – of the various hazards
in the workplace brought about by Valentine’s Day and how, while it’s fun to
give Valentines, you definitely need to be careful. There are some statistics
in this article that lay out why. So, be careful. It say that 31% of those
workers surveyed said they received a Valentine’s Day-themed gift from a
coworker (including balloons, flowers, candy, singing telegrams, etc.), but
this article points out that if you are a coworker, perhaps the person sending that romantic item shouldn’t be you. This
can not only get you in trouble with your coworkers, but in your personal life
as well, if you’re showering your coworkers with gifts that perhaps your
significant other might not approve of. So… Happy
Valentine’s Day, everyone, it’s been fun to spend it with you, and we hope that
you make safe and sane decisions in your celebrating the holiday today.
Nicolas, it’s been so fun chatting with you. Let us know if there’s anything
coming up that our viewers and listeners might be interested in knowing about,
whether it’s something you’re working on, a talk at Carnegie Mellon, just
anything at all that might be of interest that we haven’t touched on yet.
Nicolas: Not at
this moment, but I certainly will let you know in the future, and thank you
again for having me.
Denise: Sure! Oh,
it’s our pleasure. We really appreciate your coming on, and helping us
understand all of the hacking that’s been going on lately, and get a better
perspective on that. Kevin, always great to have you back on
the show.
Kevin: Well it’s
always great to be here, thanks again for having me.
Denise: It’s been
a pleasure. Anything going on with you that you want to let people know about?
Kevin: I was just
thinking about that, when you asked Nicolas. I don’t think anything major… I am
going to be speaking at ABA Tech Show, coming up at the end of March, on cloud
computing and some of the risks of that from a legal standpoint. But that’s a
lawyer conference, and certainly, if there’s any listeners from the show that
are also at the conference, don’t be afraid to look me up and say hello.
Denise: Alright,
thanks so much, Kevin and Nicolas. Thank you so much, Anupam,
for joining us, although you have departed and are already celebrating your
Valentine’s Day. Once you get done with your celebrating, you may be wondering:
“Where can I get more of this thing called ‘This Week in Law?’” If you head on
over to twit.tv/twil, you’ll find our whole archive
of shows there. We’re also on YouTube, at youtube.com/thisweekinlaw.
We record the show live every Friday at 11 o’clock Pacific time,
18:00 UTC, and we love it when you join us live. You can just go to twit.tv and
it will be what’s live on the stream at that time. Whether you’re joining us on
your own time, or are with us live, we greatly appreciate your participating in
the show. We could not do the show without the great suggestions and comments
and fun that we have going back and forth with you folks who tune in each week,
or as often as you can. We’re so glad that you do. Please let us know what’s on
your mind about the show. You can email me, I’m denise@twit.tv.
Co-host Evan, who couldn’t be here this week but will be back next week... In fact, I will be out next week, so Evan will be here next week hosting the show while
I’m out of town. So look for him, and email him, at evan@twit.tv. He’s @internetcases on Twitter, I’m @dhowell over there, and you should
find us on Facebook, if you’ve been brave enough to consign your data to that medium.
Also, on Google+, too, we’ve got a community, and page over there if you have
more information to get us, in more of a public forum. We love hearing from you
about what we’ve discussed on the show, what you think we should discuss on the
show, guests you think would be great to compliment the topics that we cover…
All of that is very, very welcome, so keep it coming, and have a really
wonderful Valentine’s weekend, everyone. We’ll see you next week!
